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Executive Summary 



The Blue Ribbon Commission to Establish a Comprehensive Internet Policy was created by law 1 
in the 1 st Regular Session of the 1 19 th Legislature. The Commission met and made several 
recommendations during the interim following the 1 st Regular Session, but found that it needed 
more time to fully address its charge. Therefore the commission recommended, and the 
Legislature approved, a bill reestablishing the Commission during the interim after the 2 nd Regular 
Session. 2 The Commission was co-chaired by Senator Carol Kontos and Representative Thomas 
Davidson, and consisted of 11 voting members and 6 non- voting members. 

Voting members included legislators and representatives of the telecommunications industry, the 
Maine State Bar Association, Internet service providers, the Maine Software Developers 
Association, the cable television industry and the Maine Civil Liberties Union. Nonvoting 
members of the Commission included representatives from the University of Maine System, the 
State Library, the Public Utilities Commission, the Public Advocate's Office, the Department of 
Economic and Community Development and the Secretary of State. 

The Commission reconvened on August 23, 2000 and met four additional times throughout the 
Fall of 2000. The Commission focused on issues relating to Internet privacy, including the need 
to provide Internet users with notice of how information is collected and used and the potential 
for state and local governments to lead the way in implementing fair information practices. The 
Commission received input on the issue from state information technology officials, private 
computer industry leaders, providers of information services to governmental entities, and 
consumer-related state agency officials. 

On the basis of its study, the Commission makes the following recommendations: 

A. Continuation of Commission Work 

The Commission recommends that a study group be convened in the next legislative 
interim to continue work on privacy issues and the coordination of state policy-making, 
to keep informed on developments in Internet use and technology, and to address new 
issues such as use of the Internet in the election process. The study group should be 
composed of parties with interest and expertise in these issues. 

B. State Electronic Information Policies 

The Commission recommends that the Department of Administrative and Financial 
Services report back to the joint standing committee having jurisdiction over 
information technology matters, the joint standing committee having jurisdiction over 
state and local government matters and the joint standing committee having 



1 Resolve 1999, chapter 89 

2 Public Law 1999, chapter 762, section 3 
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jurisdiction over appropriation matters by February 1, 2001 on coordination of 
electronic information policy-making within State government, including the duties and 
responsibilities of each information board and position, how the boards and positions 
relate, the activities that each board has undertaken and the policies that each board 
has established. The report must include any recommendations from the Department 
of Administrative and Financial Services for streamlining and enhancing coordination 
of the boards and positions, including possible consolidation of the boards and 
positions. In addition, the Department must report on the implementation of privacy 
policies for state agency websites. 

C. Consumer Privacy Advocate 

The Commission recommends that an independent entity in state government be given 
the role of educating consumers about information privacy, advocating for fair 
information practices in the public and private sectors and addressing citizen 
complaints. This would not be a regulatory agency, but an advisory, advocacy and 
technical assistance entity. The entity or position could be established within existing 
resources or could be newly-created. 

D. Notice of State and Local Government Information Practices 

The Commission recommends that the Legislature enact a law requiring state and local 
governments to adopt policies governing their collection and handling of personal 
information on the Internet and to include notice of those policies on their websites. 

E. Development of a Comprehensive Fair Information Practices Law 

The Commission recommends that the study group proposed in Recommendation A 
examine options for enacting a comprehensive privacy act governing collection and 
management of personal information by state and local governments via the Internet or 
any other method, and that the Commission draft and recommend such an act to the 
2 nd Regular Session of the 120 th Legislature. The act must include a provision for an 
audit of adherence to the requirements of the act, following a phase-in period. 

F. Uniform Computer Information Transactions Act (UCITA) 

The Commission recommends that the Legislature take no immediate action on the 
Uniform Computer Information Transactions Act (UCITA). 
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G. Monitoring Implementation of the Uniform Electronic Transactions Act (UETA) 

The Commission recommends that state agencies continue to review and track the 
impact on consumers and businesses of state and federal laws relating to electronic 
transactions. 



H. Include Information Collection and Handling in the Government Evaluation Act 

The Commission recommends that the State Government Evaluation Act be amended 
to include review of an agency's implementation of information technologies, their 
information collection and handling policies and practices, and how well those policies 
and practices adhere to the Fair Information Practice Principles of notice, choice, 
access, integrity and enforcement. 

I. Maine Governmental Information Network 

The Commission supports the Maine Governmental Information Network initiative as 
established by Public Law 1999, chapter 428 and supports providing assistance to 
municipalities to enhance their ability to offer services and information through the 
Internet. The Commission recommends that the study group recommended in 
Recommendation A evaluate the success of the "Rapid Renewal" pilot project being 
undertaken by InforME, the Secretary of State's Office and 10 Maine municipalities, 
and recommend funding, if any, for the Maine Governmental Information Network. 
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I. INTRODUCTION 



A. Commission Reestablishment and Charge 

The Blue Ribbon Commission to Establish a Comprehensive Internet Policy was originally 
established in the First Regular Session of the 1 19th Legislature by Resolve 1999, chapter 89. 
The Commission was convened in September of 1999 and completed its first interim of work 
in December of 1999. 

The charge to the Commission was broad. Due to the short time available for the 
Commission to complete its work and the complexity of the issues before it, the Commission 
decided to focus on issues relating to the following charges: 

• "E-commerce" (specifically, digital and electronic signature verification and 
amendments to Maine statutes to encourage electronic business transactions on the 
Internet); 

• "E-government" (specifically, payment of agency fees by credit card and other 
electronic means, requiring agencies to coordinate services on the Internet, and 
amendments to Maine statutes to encourage electronic governmental transactions on 
the Internet); and 

• "Internet access" (specifically, municipal government linkage to the Internet to 
coordinate access to services for Maine citizens). 

Please refer to the Final Report of the Blue Ribbon Commission to Establish a 
Comprehensive Internet Policy, December 1999. 

The following charges to the Commission were not addressed during the first interim: 

• Protection of Internet users' and citizens' privacy; 

• Mitigation of Internet abuses, including transmission of unsolicited bulk e-mail or 

"spam"; 

• Regulation of hate mail and pornography; and 

• Elimination of electronic crimes. 

The Commission felt that the issues that were not addressed, particularly Internet privacy, 
were important issues that required further study by the Commission. Therefore, the 
Commission recommended that the study group be reconvened following the 1 19 th 
Legislature's Second Regular Session. L.D. 2557, a bill reported out of the Joint Standing 
Committee on Business and Economic Development, and passed by the Legislature, was 
signed as Public Law 1999, chapter 762 on May 8, 2000. Chapter 762 amended Resolve 
1999, chapter 89 to authorize the Commission to meet following the conclusion of the Second 
Regular Session of the 1 19 th Legislature and required that the Commission submit its 2 nd 
report along with any implementing legislation to the First Regular Session of the 120 th 
Legislature. A copy of the amended resolve is included in Appendix A. 
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B. Membership 

The Commission's structure was unchanged by Public Law 1999, chapter 762. According to 
the enabling legislation, the Commission was to include 18 members: 12 voting members and 
6 nonvoting members. However, one legislative member who served on the Commission 
during the first interim was unable to continue serving and a replacement member was not 
appointed. Therefore, the Commission consisted of 17 members with 11 voting members, 
including legislators and representatives from the telecommunications industry, the Maine Bar 
Association, Internet service providers, the Maine Software Developers Association, the cable 
television industry and the Maine Civil Liberties Union. The 6 nonvoting members of the 
Commission included representatives from the University of Maine system, the State Library, 
the Public Utilities Commission, the Public Advocate's Office, the Department of Economic 
and Community Development and the Secretary of State. A list of Commission members is 
included in Appendix B. 

C. Scope and Focus of Commission Meetings 

The Commission reconvened on August 23, 2000, and held four additional meetings on 
September 27, October 20, November 1 and November 17, 2000. 

1 . At its first meeting, the Commission reviewed its duties, reviewed the status of their 
1999 recommendations, and received updates on agency actions taken to enhance e- 
government services, including presentations from the State Treasurer's Office, the 
Department of Economic and Community Development and InforME. Commission 
staff summarized federal and national activity in the area of e-government, including 
enactment of the federal "E-sign law'" the moratorium on Internet taxation, federal 
and state proposals regarding privacy and development of the Uniform Computer 
Information Transactions Act (UCITA). 

2. The second meeting of the Commission focused on privacy of information on the 
Internet. Commission staff presented information from the Center for Democracy and 
Technology (CDT), a non-profit group whose interests include Internet privacy. The 
Commission received a presentation from the Vice President for Governmental Affairs 
programs at IBM on the future of the Internet, consumer privacy and possible roles 
that government can play in enhancing Internet privacy. The Commission also 
received information on privacy policies relating to government websites from the 
Director of e-Government Initiatives at the National Information Consortium (NIC). 

3. The Commission continued its discussion of privacy of information on the Internet at 
its third meeting. The Commission reviewed other states' laws and policies requiring 
state agencies and other public entities to post privacy policies on their websites and 
discussed recommending a law requiring state and local agencies in Maine to post 
privacy policies complying with the fair information principles. The Commission also 
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discussed how to inform users about protecting their privacy when they use links to 
non-state sites. The Commission also discussed the possibility of creating a position 
within Maine State Government to be an advocate for consumers' privacy interests. 
The Commission received a presentation from Electronic Data Systems (EDS) on 
Internet security and cyber crime. Finally, a member of the Maine State Bar 
Association presented information about the Uniform Computer Information 
Transactions Act (UCITA). 

4. The fourth meeting of the Commission focused on formulating recommendations for 
the report. In addition, the Commission reviewed and discussed a chart prepared by 
staff concerning the different electronic information policymaking boards that exist in 
State government. Finally, Commission staff presented an analysis on the impact of 
the Federal "E-sign law" on Maine's Uniform Electronic Transactions Act (UETA), 
specifically in which areas the E-sign law preempts Maine's UETA. 

5. At its fifth and final meeting, the Commission took final action on recommendations 
and reviewed the draft report. 

The Commission spent a limited amount of time on the charges relating to electronic crimes, 
Internet abuses including "spam" and unsolicited email, hate mail and Internet pornography 
because of current federal legislative proposals being considered on these issues. The 
Commission members agreed that the State should wait and see what action, if any, the 
federal government might take on these issues, before Maine acts on similar proposals. 

II. IMPLEMENTATION OF THE COMMISSION'S 1999 RECOMMENDATIONS 

The Blue Ribbon Commission made a number of recommendations in its report to the 2nd 
Regular Session of the 1 19 th Legislature. When it reconvened in the 2000 interim, members 
wanted to be informed of which recommendations had been followed, and how they were being 
implemented. 

A. Uniform Electronic Transactions Act (UETA) 

The 1999 Blue Ribbon Commission recommended that Maine adopt the Uniform Electronic 
Transactions Act (known as "UETA"), to ensure the continued expansion of electronic 
commerce by providing certainty about the legal validity of electronic transactions and 
uniformity among the states. UETA was drafted by the National Conference of 
Commissioners on Uniform State Laws (NCCUSL), which recommended that it be enacted in 
all states. 

UETA removes legal barriers to the conduct of commercial, governmental and consumer 
transactions over the Internet. It validates electronic transactions by providing that electronic 
signatures and records, and electronically-formed contracts have the same legal force and 
effect as manual signatures, paper records and contracts formed non-electronically. 
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The model Act includes several provisions designed to clarify the workings of electronic 
business: 

• UETA applies only when the parties to the transaction have agreed to conduct 
business electronically; it does not require parties to accept electronic records or 
signatures; 

• UETA does not negate laws applying to the creation of wills, codicils and 
testamentary trusts, or Uniform Commercial Code titles other than the sales and 
leasing titles; any requirements for written records and manual signatures on 
documents governed by those laws prevail over UETA; 

• State laws requiring notices to be delivered, formatted or displayed in a certain manner 
also prevail over UETA; a law requiring that notice be sent to a consumer by first 
class mail with return receipt, must still be complied with; 

• Rules for understanding how business is done electronically are provided, such as rules 
for determining when a record is considered sent and received; the effect of an error 
in transmitting the record; and when a signature is attributed to a person and what 
attribution means; and 

• State and local governments can decide for themselves whether to conduct business 
electronically. 

The Maine Legislature followed the Commission's recommendation and enacted UETA in 
substantially the same form as the uniform law drafted by the NCCUSL. 3 In separate 
legislation, however, the Legislature altered the effect of UETA in Maine by exempting two 
types of records from the coverage of UETA: documents affecting title to real property and 
certain powers of attorney. 4 This legislation originated in the Joint Standing Committee on 
Judiciary, whose members were concerned about the integrity of real estate recording systems 
and of other important legal documents. 

While Maine and 22 other states considered and adopted UETA, Congress was considering 
national legislation to accomplish the same goal as UETA. In June of 2000, Congress passed 
and the President signed the Electronic Signatures in Global and National Commerce Act ("E- 
Sign"). 5 E-Sign does not preempt UETA, but it may have an impact in 3 areas of law in 
Maine. 

First, E-Sign impacts legislative attempts to preserve requirements for written records and 
manual signatures by exempting records from the coverage of UETA. Any Maine law that 



3 Maine Public Law 1999, chapter 762; effective August 11, 2000. 

4 Maine Public Law 1999, chapter 711. 

5 Pub. L. No. 106-229 (2000). 
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attempts to exempt a type of record other than those exempt from UETA or E-Sign would 
likely be invalid. Any future legislation must be evaluated on this basis. 

Second, E-Sign impacts some consumer notice laws. 6 Although UETA specifically preserves 
the validity of state laws that require notices to be delivered in a certain manner, E-Sign 
prohibits use of that UETA provision to "circumvent -Sign by imposing non-electronic 
delivery methods. This is interpreted to invalidate certain state laws that require notices to be 
mailed to consumers. Requirements for mailing utility shutoff notices, insurance cancellations, 
products recalls and other notices that are exempt from E-Sign may remain valid, but states 
may not be able to require mailing of consumer notices that are not exempt from E-Sign. This 
is one of the provisions of E-Sign that would benefit from further clarification. 

Finally, E-Sign may require state agencies to accept electronic signatures and records, despite 
the UETA provision that gives them the option of doing so. At least one prominent 
commentator appears to read E-Sign as taking away the option to continue to require manual 
signatures and written applications, reports and other records provided to state agencies. 8 

A memo addressing these issues is included as Appendix C. 

B. Credit Cards 

As individuals become accustomed to using the Internet for private transactions, more demand 
is being put on state agencies to provide services online. In response to that demand, state 
agencies are looking for acceptable ways for the public to pay for services delivered via the 
Internet. 

The Commission recommended that Maine law, 5 MRS A §1509- A, be amended during the 
Second Regular Session of the 1 19 th to require state agencies to implement procedures for 
accepting payment of goods, services, fines and other fees by credit cards or other electronic 
means. The Legislature followed the Commission's recommendation and enacted that 
provision in Public law 1999, chapter 762. Prior to that change in law, State agencies could 
accept payments by electronic means, but were reluctant to accept payment by credit card 
because credit card companies charge a merchant fee of 1% to 3% of the amount charged on 
each payment. This is a fee paid by the merchant (state agency) to the credit card company. 
These fees are expensive for state agencies to pay and Maine law does not allow an agency to 
pass that fee on to the consumer in the form of a surcharge. Therefobe, state agencies must 
absorb these costs within their existing budgets. In addition to Maine's prohibition on passing 
fees on to consumers, the major credit card companies do not allow governments to pass the 
merchant fee imposed by credit card companies to consumers. 



6 E-Sign applies to "transactions in or affecting interstate or foreign commerce," E-Sign, section 101. 

7 E-Sign, section 102 (c). 

8 Patricia Brumfield Fry, "A Preliminary Analysis of Federal and State Electronic Commerce Laws," available on 
the website of the NCCUSL (see appendix for reference). Professor Fry was chair of the drafting committee for 
UETA. 
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In response to the reluctance of state agencies to accept payments by electronic means due to 
the impact of merchant fees on their budgets, the Commission recommended in its 1999 report 
that the Office of the Treasurer of State initiate the following actions: 

1. Negotiate a lower merchant fee on credit card transactions; and 

2. Study and develop procedures to enable state agencies to accept payment for goods 
and services by electronic means. 

The State Treasurer reported to the Commission that the following actions have been taken 
on the recommendation that lower merchant fees be negotiated: 

• A new merchant fee of 2. 15% has been negotiated with VISA/MASTERCARD. The 
former merchant fee was 2.34%. The bank will use the data from the previous 6 
months to track the use of credit cards by state agencies and lower the merchant fee 
according to average ticket price. 9 As the average ticket price increases, the merchant 
fee is decreased based upon a negotiated scale. The agency is also negotiating with 
AMERICAN EXPRESS to receive a similar rate; 

• The Office of the Treasurer of State will pay the merchant fees for all state agencies 
for FY 2001 to allow agencies that do not currently accept credit cards and have not 
included the expense into their budgets, to accept credit cards for electronic payments; 
and 

• The Office of Treasurer of State has arranged for next day receipt of funds from credit 
card companies, which will enable the State to receive returns on the investment of 
these funds for an extra day. In the past, it has taken two days to receive receipts of 
funds. 

The State Treasurer reported to the Commission that the following actions have been taken 
on the Commission's recommendation that procedures be developed to enable agencies to 
accept payment for goods and services electronically: 

• The State Treasurer's Office is working with People's Heritage Bank to develop the 
Treasury Automated Management Information (TAMI) System, a paperless cash 
receipt and electronic banking system, to allow greater acceptance of electronic 
payments. TAMI will allow the electronic passage of funds and will allow for the 
receipt of a larger volume of electronic payments than can currently be handled by 
agencies, will save time by eliminating duplicate entry of deposits, will enable agencies 
to achieve more accurate accounting of electronic payments, and will enable the 
Treasury to reconcile payments with the bank as fast as electronic payments are 
received. TAMI is being developed by the Treasurer's Office with the assistance of 
Pine Tree Data Systems and the Bureau of Information Systems. TAMI is scheduled 
for statewide implementation July 1, 2001. 



9 Average Ticket Price is equivalent to the average number of credit card transactions divided by the average 
amount collected per transaction. 
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In addition, Public Law 1999, chapter 762 required the Bureau of Revenue Services and the 
Department of Professional and Financial Regulation to report to the Joint Standing 
Committee on Business and Economic Development and the Joint Standing Committee on 
Appropriations and Financial Affairs by January 20, 2001 on the budgetary impact of 
accepting credit card payments. The report must include the total number of agency 
transactions that included the use of credit cards, the dollar amount attributable to credit card 
transactions and the cost savings or loss to each agency. 

C. Municipal Linkage 

Increasingly, Maine citizens are demanding efficient delivery of government services at all 
levels of government. The use of technology by Maine citizens in both rural and urban areas 
of the State is also increasing. One way to satisfy citizens' demand for governmental services 
is to assist municipalities in increasing their use and access to technology. Currently, several 
hundred municipalities do not have technology in place to enable the coordination of 
government services using the Internet. 

The Internet can potentially provide small local governments with access to a wealth of 
information and services, and can provide the following: 

• Citizen access to community information and governmental services; 

• Enhanced communication among municipalities and between municipalities and other 
levels of government; and 

• An electronic link between local governments and state agencies to improve efficiency 
and accountability. 

1. The Maine Governmental Information Network Board 

The Maine Governmental Information Network Board was established by Public Law 
1999, chapter 428. The board was established to enhance electronic data exchange among 
state and local governments and other providers of governmental services. The board 
oversees the computer network that connects individual municipal governments and other 
governmental service providers. The board consists of seven members including the 
Secretary of State and the Director of the Bureau of Information Services, two public 
members, two members representing municipalities' interests and a member with technical 
expertise in electronic communications. The Office of the Secretary of State provides 
administrative support to the board and is responsible for all regular operations of the 
board. 

The board's powers and duties include the following: 

• Overseeing the construction and operation of a computer network to connect state, 
local and regional governments; 
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• Enabling electronic access to the electronic data resources of any state agency whose 
data enhances the delivery by a municipal government or county government of state 
services; 

• Providing grants to municipalities and counties for the purchase of computer 
hardware, software and peripherals necessary to connect the municipalities and county 
governments with state data and information systems; 

• Contracting to provide technical support to municipal and county information network 
participants; 

• Contracting to provide basic computer training and instruction in the operation of the 
statewide computer network; and 

• Employing consultants and accepting and using any funding available to the board. 

The majority of the board members have been appointed, but no funds have been 
appropriated to the Board. 

Chapter 428 also created the Maine Governmental Information Network Fund to carry out 
the purposes of the law. Limited funding of $1,000 for Fiscal Year 2000-2001 was 
allocated to the Fund. The Commission supported full funding of the Governmental 
Information Network in its 1999 recommendations. A proposal was made during the 
119 th Legislature Second Regular Session by the Governmental Information Network 
Board in L.D. 2510, An Act to Make Supplemental Appropriations and Allocations for 
the Expenditures of State Government and to Change Certain Provisions of the Law 
Necessary to the Proper Operations of State Government for the Fiscal Years Ending June 
30, 2000 and June 30, 2001 , to appropriate $1,500,000 to the information network fund, 
but the funding was not finally approved by the Legislature. 

2. Rapid renewal pilot project 

The Secretary of State's Office and InforME have been working with municipalities on an 
e-government initiative that would allow citizens to register their motor vehicles and pay 
their excise taxes online. Initially, the service will be offered as a pilot program in 10 
towns and cities throughout Maine. The pilot municipalities are: Bangor, Brunswick, 
China, Corinna, Hermon, Holden, Lewiston, Portland, Saco and Waterville. The 
municipalities have agreed to absorb the credit card merchant fees for the excise tax 
portion of the registration. The pilot project is expected to go into effect at the end of 
November 2000. 
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III. OVERVIEW OF ISSUES DISCUSSED 



A. Internet Privacy 

More and more people are using the Internet to conduct commercial, educational and 
governmental business. According to a recent federal report, up to 90 million Americans use 
the Internet on a regular basis. 10 And changes in technology will soon allow us to 
communicate electronically from a number of locations. The desktop computer will not be the 
only way you'll enter the World Wide Web; you may have a computer in your wristwatch, 
your telephone, your television, even your eyeglasses! 

With the increase in Internet use has come an increase in concerns about privacy of personal 
information. Information moves in both directions on the Internet — while the user is 
collecting information from an Internet website, the website is often collecting information 
about the user, often without the user's knowledge. Legitimate website operators use the 
information to target their marketing efforts and to improve services. Others can use the 
information to steal identities, divert funds and threaten personal safety. 

In a survey cited in a recent Federal Trade Commission report, 92% of consumers said that 
they were concerned about misuse of personal information online. 11 In another survey, 
conducted for the IBM Corporation, 95% said they were concerned about misuse, and 80% 
said they felt that they had lost all control over personal information. 12 

Public policy-makers and private businesses around the country and the world are devoting 
substantial resources to addressing concerns about privacy, to protect consumers from 
improper uses of information while enabling the Internet to reach its full potential for 
providing electronic commerce and government services. 

Commission members considered privacy of personal information to be one of the key issues 
to be addressed during this study. They sought to review efforts underway on the national 
level and to learn what Maine policymakers can do to protect Internet users in this unique 
global marketplace. 

1. Computers and the rise of privacy concerns in the 1970's 

Although the Internet has increased the speed and ease with which information can be 
collected, it did not create public concern about privacy of personal information. That 
concern existed well before the Internet was developed. Concern over information 
privacy even pre-dates computers, although their increasing use brought forth the first 
major efforts on the federal level to regulate information practices. 



U.S. Federal Trade Commission, Privacy Online: Fair Information Practices in the Electronic Marketplace. A 
Report to Congress ., May 2000, p. 1. 

1 1 same as note 8, p. 2. 

12 IBM Multi-National Consumer Privacy Survey, prepared by Louis Harris & Associates (October 1999). 
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In 1972, the Secretary of the United States Department of Health, Education and Welfare 
created an advisory commission to explore the impact of computers on the collection of 
personal information by public and private organizations. The advisory commission found 
the most important and most troubling impact of computer data-gathering was the feeling 
that individuals had lost control over the use of personal information about themselves. 13 

To address this impact, the advisory commission articulated a "Code of Fair Information 
Principles", consisting of the following 5 principles. 

(1) There must be no personal data record-keeping systems whose very existence is 
secret. 

(2) There must be a way for an individual to find out what information about that 
person is in a record and how it is used. 

(3) There must be a way for an individual to prevent information about him obtained 
for one purpose from being used or made available for other purposes without that 
person's consent. 

(4) There must be a way for an individual to correct or amend a record of identifiable 
information about that person. 

(5) Any organization creating, maintaining, using or disseminating records of 
identifiable personal data must assure the reliability of the data for their intended use 
and must take reasonable precautions to prevent misuse of the data. 14 

2. Widespread acceptance of the principles of fair information practice 

The principles articulated by the Secretary of HEW have been incorporated into 
information management policies by public and private organizations around the world. 
They formed the basis for the Federal Privacy Act of 1974, which governs collection and 
use of personal information by federal agencies. 15 Similar laws governing state agency 
practices have been adopted in a number of states, including California, Minnesota, New 
York and Virginia. 16 The laws include provisions to address the principles of fair 
information practice, which have been boiled down to 5 key words, with the following 
descriptions: 



Summarized in Personal Privacy in an Information Society. The Report of the Privacy Protection Study 
Commission , July, 1977, p. 501. (The Commission was created by the Federal Privacy Act of 1974, PL 93-579). 

14 U.S. Department of Health, Education and Welfare, Secretary's Advisory Committee on Automated Personal 
Data Systems, Records, Computers and the Rights of Citizens (Washington, D.C., 1973). 

15 Pub. L. No. 93-579. 

16 Cal. Civil Code, Title 1.8, chapter 1 (Information Practices Act of 1977); Minn. Stat. c. 13 (Minnesota 
Government Data Practices Act); Cons. Laws of N.Y. Annot., Public Officers Law, Art. 6A (Personal Privacy 
Protection Law); Code of Va., Title 2.1, chapter 26 (Privacy Protection Act of 1974). 
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• NOTICE: Data collectors must disclose their information practices before collecting 
personal information from consumers; 

• CHOICE: Consumers must be given options with respect to whether and how 
personal information collected from them may be used for purposes beyond those for 
which the information was provided; 

• ACCESS: Consumers should be able to view and contest the accuracy and 
completeness of data collected about them; 

• SECURITY: Data collectors must take reasonable steps to assure that information 
collected from consumers is accurate and secure from unauthorized use; and 

• ENFORCEMENT: There must be a reliable mechanism to identify and impose 
sanctions for noncompliance with these fair information principles. (This principle is a 
fairly recent addition to the list, and is not always included in the list of Fair 
Information Practices principles.) 

3. The Internet and data collection 

While computers made information collection faster and easier, the Internet has enabled 
collection to be invisible to the user and, often, involuntary. The Center for Democracy 
and Technology, an independent non-profit organization active in tracking and developing 
Internet policy, describes the threat to privacy this way: 

The Internet is a microcosm of the debate over privacy and technology's impact on the 
collection of personal information. Internet use generates detailed information about 
individuals - revealing where they "go" on the Net (via URLs), whom they associate 
with (via list-servs, chat rooms and news groups), and how they engage in political 
activities and social behavior. Various tracking tools can mine and manipulate your 
online data trail (or "clickstream") to build a detailed database of personal information 
without your knowledge or consent. 17 

The ability of Internet site operators and 3 rd party advertisers to collect this information 
without knowledge or consent of the individual creates risks such as the following: 

• A network advertiser can place a cookie on your computer to collect information 
about your browsing activities over a sustained period of time, gathering hundreds of 
bits of information and combining that with information from off-line sources to create 
a complex profile of you that you may consider to be inherently intrusive; 



17 

CDT's Guide to Online Privacy. Chapter One: Getting Started . Found on the Internet at 
w w w . cdt.org/privacy/ guide/start/. 
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• Your employer can purchase a list of the books you've purchased online, combine that 
with your membership in various organizations, and draw inferences about your 
political interest and leanings, which may not be to his or her liking; and 

• A stalker can learn your address, phone number and vacation plans. 
4. National efforts to protect privacy 

Efforts to address Internet users' concerns are underway on a number of fronts - there 
are legislative proposals, technological innovations and voluntary industry efforts. 

(a) Federal studies and legislation 

On the federal level, the Federal Trade Commission has tracked the development of 
the Internet and its impact on businesses and consumers, and has reported its findings 
to Congress almost annually since 1995. One of its earliest reports recommended that 
information collection from children be regulated nationally, and Congress responded 
by passing the Children's Online Privacy Protection Act. 18 The FTC delayed 
recommending legislation on the collection of personal information from adults, 
deferring to voluntary efforts by Internet advertisers and website operators to improve 
their information collection practices. However, in its July 2000 report, Online 
Profiling: A Report to Congress , the FTC recommended by a 4-1 vote that Congress 
enact legislation to require notice of "online profiling" practices and to provide 
consumer choice. Congress has not enacted legislation regulating online profiling to 
date. 

Congress has responded to concerns about particular types of information in particular 
industries, notably financial and medical information. The Financial Services 
Modernization Act (popularly referred to as the 'Gramm-Leach-Bliley Act') 19 
regulates the sharing of personal information by banks, insurers and other financial 
institutions. It requires financial institutions to notify their customers that they intend 
to share the personal information about the customer with companies not affiliated 
with the institution. The institution must allow the customer to "opt-out" of the 
information sharing. Federal and state regulators, including the Maine Bureau of 
Insurance, are working on regulations to implement the requirements of this law. The 
requirements of the law will take effect July 1, 2001. 

Medical information in electronic form is governed to some extent by the Health 
Insurance Portability and Accountability Act of 1996 (HIPAA). 20 One of the important 
goals of the Act was to simplify administration of health care by providing for 
standardized, electronic transactions. Regulations implementing this administrative 
reform require data custodians to use the records only for legitimate health purposes 



15 U.S.C. § 6501 et. seq. 

Pub. L. No. 106-102, codified at 15 U.S.C. sec. 6801 et. seq. 
Pub. L. No. 104-191, codified at 42 U.S.C. 1320d- 1320d-8. 
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and to provide security to prevent misuse or improper disclosure. The regulations also 
allow consumers to see and correct their records and to know who has received the 
records. 



(b) State legislation 

Legislation has been introduced in a number of states as well. To date, no state has 
enacted a law regulating online profiling or data collection by privately-operated 
websites. The laws that have been enacted have sought to control the practices of 
entities over which the State clearly has control: state and local website operators. 
Virginia law requires all public bodies maintaining a website to develop and post their 
privacy policies on their websites. 21 The policies at a minimum must address what 
information is collected and how it is to be used. Maryland law also requires posting 
of privacy policies of state agencies and encourages county and municipal entities to 
do the same. 22 The policies must conform to Maryland's privacy law, which 
incorporates most of the fair information practices described in section A (2) of this 
report. The Maryland law requires executive agency data custodians to collect 
information directly from the individual who is the subject of the information, and to 
inform that person of: 



• The purpose for which the information is being collected; 

• Any consequences for refusing to provide the information; 

• The right to inspect, amend or correct personal information about that person; 

• Whether the information is available for public inspection; and 

• Whether it is shared with, or transferred to, any other entity. 23 

In Washington State, Governor Gary Locke accomplished the goal of improving 
agency information management practices by issuing an Executive Order requiring 
state agencies to take a number of steps to protect personal information, including 
posting privacy notices on their websites. 24 

Other efforts on the state level included proposals to educate consumers, prohibit 
disclosure of certain personal information by Internet service providers, prohibit an 
employer from monitoring an employee' s e-mail and require private websites to 
include privacy policy notices. 

(c) Maine government efforts 

Many state agencies are in the process of reviewing their data management practices, 
to enable them to increase their efficiency by using electronic systems while ensuring 
protection of confidential information. The departments of Labor, Corrections and 
Human Services in particular are working to protect the security of their databases 



Code of Va. §2.1 -380, p. 
Annot. Code of Md. §10-624 (C) (4). 
Annot. Code of Md. §10-624 )(C)(3). 
Washington State Executive Order; EE-00-03, April 2000. 
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with cross-agency confidentiality agreements, password protections and other security 
measures. Often this work is performed by staff funded by the federal government, 
which sets rigid standards for how information is managed in federally-funded or 
federally-regulated programs such as unemployment compensation and Medicaid. 

(d) Voluntary industry efforts 

website operators and advertisers have undertaken voluntary programs to alleviate 
consumer concerns about privacy, primarily focusing on seal programs and 
development and posting of privacy policies. 

Private companies such as TRUSTe and BBBOnline offer online seal programs, under 
which a website that agrees to comply with fair information practices and to submit to 
3 rd party monitoring, can display a seal on their sites alerting consumers that they meet 
the standards of the certification company. 

Commercial websites are also posting notice of their information practices in 
increasing numbers. In 1998, while 92% of sites in a random sample were collecting 
personal information about users, only 14% revealed that they were doing so. 25 By 
2000, the number of sites informing users that they were collecting information had 
increased from 14% to 88%. Both surveys indicated that the posting of notices by the 
100 most popular commercial websites was higher than in the random sample: 71% 
posting in 1998 and 100% in 2000. 26 

(e) Technology 

Finally, technology offers several tools for consumers to protect their privacy. 
Consumers can block websites from placing "cookies" on their computers or hide their 
identity altogether using currently-existing technologies with clever names like 
"Anonymizer" and "Cookie Crusher." Another technology being developed would 
alert consumers whenever a website they are accessing lacks the privacy protections 
that the consumer wants. The technology is called the Platform for Privacy 
Preferences, or "P3P". See Appendix D for a list of technology tools. 

5. Advice to the Commission from industry participants 

The Commission invited representatives of commercial participants and non-profit 
watchdog organizations to give their perspectives and advice on privacy issues to the 
Commission. 



(a) International Business Machines Corporation 

Chris Caine, Vice President of Governmental Programs at the IBM Corporation, 
addressed the Commission at its September 27 th meeting. He reviewed the results of a 
multinational survey of public attitudes toward the Internet and privacy, conducted for 
IBM. The survey found that, while Internet users are overwhelmingly concerned 



U.S. Federal Trade Commission, Privacy Online: A Report to Congress June 1998. 
26 U.S. Federal Trade Commission, Privacy Online: Fair Information Practices in the Electronic Marketplace. A 
Report to Congress , May 2000. 
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about misuse of information collected on the Internet, the majority of them also 
support the personalized marketing that such information collection makes possible. 27 
This combination of attitudes shows that the answer to users' concerns is not to stop 
collecting information, but to engage in a dialogue among Internet users and data 
custodians to find the right balance. Mr. Caine suggests that the solution to privacy 
concerns is a combination of market-based mechanisms, laws and technology. 

One of the most effective regulators of private sector information practices is the 
market itself, says Mr. Caine. Consumers will gravitate toward the websites of 
companies that respect their privacy preferences; companies that fail to do so will not 
survive. Companies that understand the importance of privacy to consumers have 
already engaged in voluntary efforts to address consumer concerns, including the 
adoption of seal programs and adoption of privacy policies that incorporate the 
principles of fair information practices. 

Technological solutions also hold great promise. Mr. Caine provided the Commission 
with a list of 27 privacy-enhancing technologies, many of which are free to all 
consumers. These technologies allow the consumer to take an active part in 
protecting privacy. 

IBM has taken a number of steps to promote privacy protection. It has adopted high- 
quality privacy standards worldwide; it uses its significant advertising market power to 
encourage use of privacy notices by advertising only on websites that have privacy 
notices; it helps develop technologies; assists business and government customers to 
establish privacy strategies and programs; and leads industry efforts such as the Online 
Privacy Alliance and the Privacy Leadership Initiative. 

Industry can do more, says Mr. Caine, by incorporating more fair information 
practices in their privacy notices, making privacy notices more clear and conspicuous, 
adopting online seal programs and continuing to educate consumers and companies 
about privacy. 

Government has a role to play, too, but not necessarily a heavily regulatory role, 
according to Mr. Caine. Global media like the Internet are not governed effectively by 
state patchworks. It's not even clear what legal authority states have to regulate the 
Internet, since due process requires that a regulated entity have a certain level of 
contact or relationship with a state before the state can exercise jurisdiction, and the 
law is not yet clear on how a state can exercise jurisdiction over cyberspace. 

Among the recommendations that Mr. Caine made were for state and federal 
governments to do the following: 



IBM Multi-National Consumer Privacy Survey, prepared by Louis Harris & Associates (October 1999). 

Comprehensive Internet Policy • 15 



• Lead by example: Adopt leading-edge fair information principles governing 
information collection, use and management by governmental entities; 

• Crack down on identity theft and fraud; 

• Balance a citizens' privacy rights with government access to information; 

• Complete federal legislative action on 2 areas of particularly sensitive 
information - medical information and financial information; 

• Support research and technologies related to privacy; and 

• Educate citizens. 

(b) Center for Democracy and Technology 

The Center for Democracy and Technology is an independent, nonprofit organization 
that tracks and participates in the development of Internet policy. The Commission 
had invited staff from the Center to address the Commission, but scheduling conflicts 
prevented Paula Bruening, a staff attorney for the Center, from attending the 
scheduled meeting. Nonetheless, Ms. Bruening sent along some comments and advice 
to the Commission. She advised the Commission to focus on making sure 
governmental information practices respect the privacy of citizens and on helping 
consumers understand the threats to their privacy and how to protect themselves when 
they use the Internet. The Center does not discourage states from experimenting with 
other ways to address privacy concerns, but it is difficult for states to effectively 
regulate the Internet because a State's jurisdiction over the Internet is not clear. Also, 
although federal legislation is not likely to be enacted this year, the federal government 
is likely to act next year, and their efforts will probably preempt state laws on this 
issue. 

(c) National Information Consortium - eGovernment service providers 

Kara LaPierre is Director of eGovernment Initiatives for the National Information 
Consortium (NIC), a company that provides electronic government services to several 
states, including Maine. NIC is the network manager for InforME, the official State of 
Maine webpage. Ms. LaPierre told the commission about NIC's involvement in the 
eGovernment Web Privacy Coalition, a group of government organizations and 
technology providers that will develop a set of standards for information practices on 
governmental websites and will develop a certification program for government 
websites, which will be similar to the seal programs operated by TRUSTe and 
BBBOnline in the private sector. 

Ms. LaPierre responded to data from a Brown University study showing that 
governmental websites rarely have privacy policies that adhere to the fair information 
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practices. She said that although the number of states that post privacy policies is 
small (17), the number has increased. She also said that governmental websites have 
constraints that private sites do not, namely state freedom of information laws, which 
require disclosure of information. 

She urged the Commission to respond to citizen concerns about collection of 
information by government websites by weighing the benefit to government and 
citizens from transacting certain business over the Internet with the risk to individual 
privacy. Some data elements may not be appropriate for the Internet, or may need to 
be kept private to guard against development of a complete profile that would violate 
privacy. 

6. Commission discussion 

Commission discussion following the presentations on September 27 th focused on three 
issues: the need for a resource in state government to study and advocate for consumer 
privacy; the need for adoption and posting of privacy policies on Maine governmental 
web pages; and the need for a comprehensive privacy act to govern information collected 
by state agencies by any method - electronic or otherwise. Commission findings and 
recommendations on these issues are found in IV of this report. 



B. Protection of Consumer Privacy 

As more and more personal information becomes available electronically, consumers are 
becoming concerned about how that information is being used by others. Consumers are also 
concerned about who will protect their privacy interests. Currently, Maine State Government 
does not have a position that focuses specifically on privacy issues and consumer protection of 
privacy. Although there are several state agencies that are charged with protecting the public 
from fraud, crime and unfair practices, including the Attorney General's office, the Bureau of 
Consumer Credit Protection and the Public Advocate, these agencies have specific and limited 
jurisdictions. A privacy advocate position or a consumer ombudsman would receive and 
investigate complaints about confidentiality of information and provide legal representation, if 
necessary; make recommendations concerning privacy issues to policy-makers; assist both 
public and private entities in the development of policies and procedures to protect 
confidentiality; and conduct research, coordinate state agency handling of personal data and 
educate the public. Although the Commission members did not decide upon a specific 
location within State government for this type of position, the members did agree that the 
position should be independent from political and private influences, much like the Public 
Advocate's Office. 



West, Assessing E-Government: The Internet, Democracy and Service Delivery by State and Federal 
Governments . Brown University. September 2000. (Found on the web at 
www.InsidePolitics.org/egovtreportOO.html ). 
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1. Federal and state actions 

Several states, including Hawaii and California, have recently created consumer advocate 
agencies within their state government to address consumer privacy concerns. Hawaii 
created an Office of Information Practices in 1998 to enforce its Uniform Information 
Practices Act, including the responsibility to investigate consumer complaints concerning 
governmental treatment of information requests and the responsibility to inform citizens 
about what privacy and information rights exist in the governmental arena. 29 California in 
September 2000 created the Office of Privacy Protection within the Department of 
Consumer Affairs to protect the privacy of individuals' personal information by identifying 
consumer problems and facilitating development of fair information practices, including 
educating the public about options for protecting their personal information. In addition, 
the California legislation requires each state agency to adopt a privacy policy and to 
designate a position responsible for the enforcement of the agency's privacy policy. 30 

On the Federal level, the United States Department of Justice enforces the Federal Privacy 
Act, and has established a Chief Privacy Officer position to oversee the Act's 
implementation and enforcement. In addition, Attorney General Janet Reno established a 
Privacy Council within the Department of Justice to advise department officials and 
Congress on privacy issues. The Council is reviewing a number of issues related to 
privacy, including the Department of Justice's compliance with the Federal Privacy Act; 
the sharing of information among federal, state, and local law enforcement agencies; and 
the impact of new law enforcement technology on individual privacy. 

2. Other governmental actions 

Canada has been a leader in the protecting consumer privacy. The Canadian government 
has a Privacy Commissioner whose role is to be an ombudsman for Canadians in their 
privacy concerns, to represent and advise Parliament on those issues and to serve as the 
primary national resource for research, education and information on privacy. The Privacy 
Commissioner is appointed by Parliament and serves as an independent resource. In 
addition, the majority of Canada's provinces have established their own comprehensive 
privacy policies and the Legislature in each province appoints a person to enforce that 
province's privacy act. 

3. Private businesses actions 

Following several recent lawsuits concerning the use of consumers' information by online 
businesses, and new laws and regulations concerning privacy, private sector companies are 
paying attention to consumers' privacy concerns and are creating "Chief Privacy Officer" 
(CPO) positions to coordinate and oversee their privacy-related activities. The CPO 
positions report to the company Chief Executive Officer and are responsible for oversight 
of network security, keeping abreast of regulations and guidelines concerning online 



Hawaii Revised Statutes §92F-41, §92F-42. 
2000 California Statutes, Chapter 984. 
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privacy and ensuring that the policies are being enforced throughout the company. Chief 
Privacy Officers are being hired from the university community and are also being 
promoted from government affairs and policy positions within companies. Corporations 
such as American Express, Citigroup Inc, Electronic Data Systems (EDS), Microsoft, 
Prudential Insurance Company and American Telephone and Telegram are just a few of 
the companies that have recently hired chief privacy officers. In addition, a newly created 
Association of Privacy Officers has been created by both online and offline businesses to 
provide support and services to its members, with a focus on their professional 
development and education on privacy developments. 



C. Uniform Computer Information Transactions Act 

The Uniform Computer Information Transactions Act (UCITA) is a model state law that 
seeks to create a unified approach to licensing of transactions involving computer software 
and electronic information. UCITA establishes a new commercial law for creating, modifying, 
transferring or licensing computer information, including the purchase of computer software, 
computer games, on-line databases, multimedia products and the distribution of information 
over the Internet. 

1. Development of the uniform law 

UCITA was drafted and approved for adoption in the states by the National Conference of 
Commissioners on Uniform State Laws ("NCCUSL"). NCCUSL is comprised of lawyers, 
judges, law professors and other experts appointed by the states and includes 
representatives from each state. NCCUSL' s primary task is to determine the areas of the 
law that would benefit from uniformity, and to develop and recommend uniform laws to 
state legislatures for enactment. The UCITA drafting committee originally proposed a 
new article to the Uniform Commercial Code (UCC) that was referred to as UCC Article 
2B or UCC 2B. The American Law Institute (ALI) was working with NCCUSL to draft 
the new Article 2B provision, but because of controversy over a perceived imbalance and 
lack of fairness to software users, the ALI wanted fundamental revisions in Article 2B's 
provisions that impacted consumer rights. When agreement between NCCUSL and ALI 
could not be achieved, the ALI withdrew from the Article 2B process. NCCUSL then 
renamed UCC 2B to UCITA, continued drafting the model Act and adopted UCITA in 
July of 1999. UCITA raises a number of complex legal and operational concerns, and 
therefore has generated controversy since the model law was adopted. 

2. Proponents of UCITA 

Proponents of UCITA, including the software industry, state that the purpose of the Act is 
to enhance commerce in an economy that is becoming increasingly dependent upon 
information services, and to enable and support expanding commercial practices. 
Proponents argue that UCITA will bring predictability and uniformity to licensing. 
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Without UCITA, developers of software and information say that they will be less able to 
control the use and copying of information that they have created. Uncontrolled use and 
copying prevents the information developer from receiving fair value for his or her 
product, and discourages developers from putting effort into developing other information 
products. This loss of development would be a detriment to the economy and to the 
development of information resources. Proponents see the role of a contract changing as 
more and more commercial business is conducted electronically. According to Professor 
Raymond Nimmer, the chief drafter of UCITA, the contract will control the quality and 
character of the product because the contract will be the product. 31 UCITA does contain 
a list of existing contract law rules that are not altered by UCITA. 

3. Opponents of UTICA 

Opponents of UCITA include consumer organizations, insurance companies, state 
attorneys general, state bar associations, libraries, the entertainment industry and 
consumer groups. Many opponents of UCITA question whether the Act is necessary or 
whether it may be premature. Opponents believe that existing common law and copyright 
law are developing appropriately to handle the new types of information-based 
transactions emerging in the information economy. Among the specific concerns of the 
opponents of UCITA are the following: 

• UCITA could validate "shrink-wrap" licenses - agreements that accompany software 
programs and that are enclosed with the product in shrink-wrapped cellophane and 
"click-on" licenses. Purchasers see such a license for the first time after purchasing the 
product and after the purchaser has already agreed to the license terms. 

• UCITA introduces uncertainty regarding the duration of the acquirer's right to use the 
licensed software; 

• UCITA could permit the vendor to restrict the number of users under an enterprise- 
wide license. Currently, software licenses have permitted an unlimited number of 
users; 

• UCITA' s "self-help" remedy allows software vendors to shutdown software remotely 
without going to court first and without court approval if the vendor feels the license 
agreement has not been met; 

• UCITA could restrict a user to a limited period to discover defects in the software, 
thus impacting warranty protections under current law; and 

• UCITA could have an impact on copyright law, including how material can be used 
and duplicated. 

4. State Actions on UCITA 

Two states — Maryland and Virginia - have enacted UCITA as state law. Virginia 
enacted UCITA in March 2000, but with a delayed implementation date of July 1, 2001. 
A study commission will examine UCITA' s impact on businesses, libraries and consumers 



31 Professor Raymond Nimmer presentation on UCITA to the Maine Legislature, Fall 2000. 
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before the implementation date. Maryland was the second state to enact UCITA. The 
Maryland General Assembly enacted UCITA in April 2000 and established its 
implementation date as October 1, 2000. Maryland's legislation amended the model Act 
to include new provisions that apply consumer protection laws to software licensing. In 
addition, the Maryland legislation created an oversight panel to provide an on-going 
review of UCITA. 33 

The Iowa Legislature, concerned about the potential impacts of UCITA on businesses and 
others in the State, amended their Uniform Electronic Transactions Act (UETA) to 
protect Iowa citizens from UCITA' s provisions. The provision declares voidable the 
choice of UCITA as the governing law, and substitutes Iowa law if the person against 
whom enforcement is sought is an Iowa resident. 34 Language was also added in the Iowa 
legislation to sunset this provision in July 1, 2001. In addition, the legislation recommends 
that the Iowa Legislature consider UCITA in the 2001 session. 

Five other states and the District of Columbia considered UCITA legislation this year, but 
did not enact UCITA into law. 35 

D. Coordination of Electronic Information Policymaking 

Currently, there are several policymaking bodies established within State government that are 
responsible for setting policies and standards concerning electronic information. These bodies 
are the Information Services Policy Board, Information Resource of Maine Board, the 
Information Systems Managers Group and the Maine Criminal Justice Information System 
Policy Board. A chart that depicts the different policymaking boards and positions 
based on statutory language is contained in Appendix E. 36 

1. Information Services Policy Board 

The Information Services Policy Board (ISPB) was created by the Legislature in 1988 to 
assist the Commissioner of Administrative and Financial Services with information 
technology policies and procedures. 37 The board consists of 1 1 voting members and 8 
advisory members. The voting members represent Commissioners of the Department of 
Administrative and Financial Services, Human Services, Labor, Transportation and the 
Secretary of State; four members appointed by the Governor from the Executive 
Department; and two members appointed by the Governor who are involved with 
information technology companies. Advisory members represent the Legislature, the 



32 Title 59.1 Code of Virginia, Chapter 43. 

33 2000 Maryland Laws, Chapter 11. 

34 Iowa 2000 legislation, HF 2205, sec. 4. 

35 Delaware SB 307; D.C. 13-607; Hawaii HB 2373, SB 2385; Illinois SB 1039; Oklahoma SB 1337; New Jersey 
SB 1201. 

36 The chart was created from the statutory language which established each board or position and is not meant to 
show all relationships that exists between the boards and positions. 

37 5 MRSA§1891. 
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Judiciary, Maine State Housing Authority, the Finance Authority of Maine, the Maine 
State Retirement System, the Maine Turnpike Authority, the University of Maine System 
and the Maine Technical College System. The chair of the board is appointed by the 
Governor from an Executive Department and is currently the Commissioner of 
Administrative and Financial Services. The Director of the Bureau of Information 
Services and the newly-created Chief Information Officer position provide assistance to 
thelSPB. 

The duties of the board include establishing written standards related to geographic 
information systems, data processing and telecommunications; developing strategic and 
departmental planning processes; development and approval of rules, policies and fees; 
review of information processing and telecommunications operations in State 
Government; and making recommendations to the Governor, the Commissioner and other 
agency heads for improving services and efficiency and for reducing costs. Among the 
policies and standards that the ISPB has established for state agencies are: Policy on 
Access to Public Records, Policy on Administration of Standards, Internet and E-mail 
Policy, Computer Virus Policy, Fee Setting Policy, Use of Software on State Computers, 
and Use Statement of Principles and the Electronic Commerce Data Interchange 
Standard. 

2. Information Resource of Maine (InforME) Board 

In 1996, an interagency subcommittee was created by the Information Services Policy 
Board to review how public information was being disseminated by state government and 
to recommend actions that the ISPB could take to increase access to public information. 
The Public Access work group recommended that a new value-added service be 
established to create a mechanism governing agencies' charges for value-added access to 
public information. The Attorney General opined that the Legislature was required by law 
to authorize the new value-added service. Therefore, the ISPB convened a team to draft 
legislation to submit to the Legislature that created the new value added service. The 
legislation was approved by the ISPB in January 1998 and was submitted to the 
Legislature for enactment. The Legislature created the Information Resource of Maine 
(InforME) in the Public Information Access Act, which called for the establishment of a 
long-term public/private partnership to build a gateway network to public information. 38 

InforME is run by a Network Manager whose contract is approved by the InforME board. 
In April of 1999, New England Interactive, a subsidiary of the National Information 
Consortium (NIC) was awarded the contract to manage InforME. The Network is 
operated with oversight by the InforME Board. The InforME Board is a 15-member 
entity that combines government and private business interests, education and association 
representation. Board members include state agencies that are major data custodians, a 
representative from the University of Maine System, one member from an association of 
municipalities, a non-profit organization advancing citizens' rights of access to 
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information, a representative from the libraries, a representative from the Maine Trial 
Lawyers Association, a representative from the Maine Association of Realtors and a 
representative from the Maine Bankers Association. The Secretary of State is the current 
chair of the InforME board and staff services are provided by InforME and the Secretary 
of State' s office. 

InforME is funded through negotiated portions of existing statutory fees and the sale of 
value-added services. No General Fund money is appropriated to InforME. Agencies 
voluntarily enter into Service Level Agreements (SLAs) with InforME. The Service Level 
Agreements itemize the services to be performed by InforME and the associated fee. 
InforME is currently authorized 10 staff positions. 

InforME reports annually to the joint standing committee of the Legislature having 
jurisdiction over state and local government matters on the services it offers and the fees it 
charges, along with the criteria for setting fees. In addition, InforME provides an annual 
audit to the Commissioner of the Department of Administrative and Financial Services. 
The Governor or the Legislative Council may request that an additional audit of InforME 
be conducted. 

3. Information Systems Managers Group 

The Information Systems Managers Group (ISMG) was created by the Information 
Services Policy Board in 1996 as a subcommittee to do research and development, and 
provides technical advice to the ISPB. The ISMG consists of all Information Technology 
mangers within State Government, including those from the legislative and judicial 
branches of government. The ISMG's goal is to promote the effective use of information 
technology in state government and the effective management of information technology 
organizations within state government. 

4. Maine Criminal Justice Information System Policy Board 

The Maine Criminal Justice Information System Policy Board (MCJUSTIS) was 
established by the Legislature in 1993 to establish policies and information standards for 
accessing shared, uniform information on criminal offenders and crime data. 39 The board 
consists of 13 members including the Attorney General, the Commissioner of Public 
Safety, the Commissioner of Corrections, the State Court Administrator, the Chief of the 
State Police, the Associate Commissioner for Adult Services within the Department of 
Corrections, the Director of the Bureau of Information Services, a representative of the 
Maine Prosecutors Association, a representative of the Maine Chiefs of Police 
Association, a representative of the Maine Sheriffs Association, a representative of a 
federal criminal justice agency, a representative of a nongovernmental agency that 
provides services to victims of domestic violence and a public member who represents 
private users of criminal offender record information. 



16 MRSA §633. 
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The board reports annually to both the Joint Standing Committee on Criminal Justice and 
the Joint Standing Committee on Judiciary concerning the status of the development, 
implementation and operation of the system. The Department of Public Safety provides 
administrative oversight for the board's policies and responsibilities. 

5. Other electronic information policy boards and positions 

In addition to these State government policymaking boards, the University System 
Network for Education and Technology Services (UNET) has an Information Technology 
Council established to advise UNET, develop goals for how the UMaine system should 
employ information technology to meet the overall goals of the UMaine system for 
teaching, learning and research and development, reviews technology system acquisitions, 
coordinates development of guidelines for standards, training and user support and 
establishes a technology plan for the UMaine system. Also, the Maine School and Library 
Network has an advisory board that oversees the implementation of the Network and 
makes recommendations concerning the Network to the Public Utilities Commission. 

There are also several positions established within state government, including the 
Director of the Bureau of Information Services and the newly created Chief Information 
Officer position, which have responsibilities related to electronic information policies. 

The Director of the Bureau of Information Services (BIS) is appointed by the 
Commissioner of the Department of Administrative and Financial Services. The Director 
of BIS is responsible for supervising data processing throughout State government; 
approving the acquisition and use of equipment; maintaining central telecommunications 
services; protecting information files; and developing and administering written standards 
for data processing and telecommunications. The Director of BIS oversees three 
divisions: Development Services, Network Services, and Production Services. In 
addition, the Director of BIS serves on the InforME board, the Governmental Network 
Board and the Criminal Justice Information Systems Policy Board and provides staff 
assistance to the Information Services Policy Board. The Director of BIS is required to 
report annually to the Joint Standing Committee on Appropriations and Financial Affairs 
on the written standards for data processing and telecommunications that have been 
established by BIS with approval from the ISPB. BIS is an Internal Service Fund, one of 
several within the Department of Administrative and Financial Services, and thus is 
authorized to charge customers for its services based on rates approved by the 
Information Services Policy Board. BIS receives no direct funding. 

During the Second Regular Session, the Legislature approved 40 the creation of a Chief 
Information Officer (CIO) position within the Department of Administrative and Financial 
Affairs (DAFS). The CIO is responsible for establishing technology policy; assisting with 
strategy and planning for the DAFS; establishing technology standards; reviewing 
contracts; and statewide coordination of compliance with the Americans with Disabilities 



FY 2000 Supplemental Budget Bill, Public Law 1999, c. 731. 
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Act (ADA). The Chief Information Officer position is being financed by realigning 
resources and functions within both DAFS and BIS. The CIO reports to the 
Commissioner and is expected to work with the Governor's Office on information 
technology issues. The Office of the CIO includes four positions: the CIO, a secretary 
and two other staff positions. 

IV. FINDINGS and RECOMMENDATIONS 



A. Continuation of Commission Work 
Recommendation: 

The Commission recommends that a study group be convened in the next legislative 
interim to continue work on privacy issues and the coordination of state policy-making, 
to keep informed on developments in Internet use and technology, and to address new 
issues such as use of the Internet in the election process. The study group must be 
composed of parties with interest and expertise in these issues. 

Draft legislation to implement this recommendation is included in Appendix F. 

Finding: 

The Commission finds that the Internet is changing every day, and that policymakers need to 
stay informed about the changes, to monitor developments, and to continue work on 
important issues, such as privacy. Although the Commission makes several recommendations 
in this report about privacy on the Internet, it understands that more work may need to be 
done in the next interim to fully flesh out its proposals. 

B. State Electronic Information Policies 

Recommendation: 

The Commission recommends that the Department of Administrative and Financial 
Services report back to the joint standing committee having jurisdiction over 
information technology matters, the joint standing committee having jurisdiction over 
state and local government matters and the joint standing committee having 
jurisdiction over appropriation matters by February 1, 2001 on coordination of 
electronic information policy-making within State government, including the duties and 
responsibilities of each information board and position, how the boards and positions 
relate, the activities that each board has undertaken and the policies that each board 
has established. The report must include any recommendations from the Department 
of Administrative and Financial Services for streamlining and enhancing coordination 
of the boards and positions, including possible consolidation of the boards and 
positions. In addition, the Department must report on the implementation of privacy 
policies for state agency websites. 



Comprehensive Internet Policy • 25 



Finding: 

There are several boards and positions established within state government that have 
responsibilities for setting policies related to electronic information. The Commission is 
uncertain as to the coordination of those boards and position and their impact on the 
establishment of policies and standards for information technology throughout State 
government. 

C. Consumer Privacy Advocate 
Recommendation: 

The Commission recommends that an independent entity in state government be 
charged with educating consumers about information privacy, advocating for fair 
information practices in the public and private sectors and addressing citizen 
complaints. This would not be a regulatory agency, but an advisory, advocacy and 
technical assistance entity. The entity or position could be established within existing 
resources or could be newly-created. 

Proposed legislation to implement this recommendation, in the form of a concept draft, 
is included in Appendix G. 

Finding: 

The Commission finds that there is no single entity within state government with authority and 
responsibility for protecting the privacy of personal information collected on the Internet or 
otherwise, by public and private entities. The Attorney General and the Bureau of Consumer 
Credit Protection have some authority to protect consumers from fraud and unfair business 
practices, but they do not have responsibility for developing broad policies relating to privacy, 
advocating on behalf of consumers' privacy, educating the public and addressing consumer 
complaints. The Commission finds that there is a need in Maine for such a person, persons or 
entity, and finds that submitting a concept draft to the 120 th Legislature will allow for a broad 
discussion of the concept and consideration of a number of options for fulfilling the function 
of consumer privacy advocate. One member of the Commission, Senator Harriman, supports 
this recommendation only if the advocate function is performed with existing resources. 
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D. Notice of State and Local Government Information Practices 



Recommendation: 

The Commission recommends that the Legislature enact a law requiring state and local 
governments to adopt policies governing their collection and handling of personal 
information on the Internet and to include notice of those policies on their websites. 

Draft legislation to implement this recommendation is included in Appendix H. 

Finding: 

State and local governments can improve citizen comfort with doing government business 
over the Internet - and can serve as a role model for private websites - by developing policies 
for collecting and handling personal information and posting their policies on their websites. 
A handful of other states - including Virginia, California and Minnesota - require state 
websites to include such notices. In those states, the notices must address a number of issues, 
including what information is being collecting, how it will be used, who has access to it, and 
how information can be corrected. Maine government websites should follow suit. The 
Commission understands that the Department of Administrative and Financial Services is 
developing model policies for use on state websites. 

E. Development of a Comprehensive Fair Information Practices Law 
Recommendation: 

The Commission recommends that the study group proposed in Recommendation A 
examine options for enacting a comprehensive privacy act governing collection and 
management of personal information by state and local governments via the Internet or 
any other method, and that the Commission draft and recommend such an act to the 
2 nd Regular Session of the 120 th Legislature. The act must include a provision for an 
audit of adherence to the requirements of the act, following a phase-in period. 

This recommendation is included in the draft legislation for Recommendation A, which 
is found in Appendix F. 

Finding: 

Maine currently has no general law requiring state or local agencies to protect citizens' 
personal information. Several states and the federal government have comprehensive privacy 
laws that adhere to the Fair Information Practice principles by providing notice, access, 
choice, integrity and enforcement. The rise of the Internet and the related increase in concerns 
about privacy is the appropriate time for Maine policymakers to examine options for enacting 
a comprehensive code of fair information practices. A study group, as recommended in 
recommendation A can conduct such an examination, with the goal of drafting and 
recommending a comprehensive privacy act for enactment in the 2 nd Regular Session of the 
120 th Legislature. 
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F. Uniform Computer Information Transactions Act (UCITA) 



Recommendation: 

The Commission recommends that the Legislature take no immediate action on the 
Uniform Computer Information Transactions Act (UCITA). 

Finding: 

The Uniform Computer Information Transactions Act (UCITA) was adopted by the National 
Conference of Commissioners on Uniform State Laws as a proposed new commercial law for 
creating, modifying, transferring or licensing computer information. UCITA is a complex law 
with a pervasive impact on software developers, consumers and businesses. There are many 
groups who oppose UCITA. The Commission does not support the implementation of 
UCITA at this time and the Commission further advises the Legislature that any proposal to 
adopt UCITA in Maine requires extensive review and analysis 

G. Monitoring Implementation of the Uniform Electronic Transactions Act 
Recommendation: 

The Commission recommends that state agencies continue to review and track the 
impact on consumers and businesses of state and federal laws relating to electronic 
transactions. 

Finding: 

Maine's enactment of the Uniform Electronic Transactions Act (UETA) clears some of the 
legal barriers that might have slowed the development of electronic commerce and electronic 
government in the State. It gives electronic signatures and electronic records the same legal 
validity as manual signatures and paper records. A federal law governing the same matters 
was passed after Maine enacted UETA, and may have some impact on electronic commerce 
and government in Maine. In particular, some of the provisions of the federal law may impact 
consumer notice provisions and state agency choices in the matter of electronic records. State 
agencies, especially those with roles in consumer protection, should pay attention to the 
impact of UETA and E-Sign and the relationship between the two. 

H. Include Information Collection and Handling in the Government Evaluation Act 

Recommendation: 

The Commission recommends that the State Government Evaluation Act be amended 
to include review of an agency's implementation of information technologies, their 
information collection and handling policies and practices, and how well those policies 
and practices adhere to the Fair Information Practice Principles of notice, choice, 
access, integrity and enforcement. 
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Draft legislation to implement this recommendation is included in Appendix I. 



Finding: 

Governmental agencies, boards and commissions undergo an evaluation process every 10 
years under the State Government Evaluation Act, 3 MRSA c. 35 (§§951 963). Part of the 
process is a self-evaluation by the agency, board or commission covering a list of issues set 
forth in the Act. Commission members felt that this would be an appropriate tool for the 
agencies, boards and commissions to review and evaluate implementation of electronic 
information technologies, their information practices, and for the Legislature to review how 
well the agency, board or commission met its information needs while also protecting public 
privacy. An appropriate standard by which to judge performance is the Fair Information 
Practice Principles of notice, choice, access, integrity and enforcement. 

I. Maine Governmental Information Network 
Recommendation: 

The Commission supports the Maine Governmental Information Network initiative as 
established by Public Law 1999, chapter 428 and supports providing assistance to 
municipalities to enhance their ability to offer services and information through the 
Internet. The Commission recommends that the study group established in 
Recommendation A evaluate the success of the "Rapid Renewal" pilot project being 
undertaken by InforME, the Secretary of State's Office and 10 Maine municipalities, 
and recommend funding, if any, for the Maine Governmental Information Network. 

Finding: 

Currently, there are many municipalities in Maine who do not have an online presence. The 
Commission finds that in order to adequately serve the citizens of Maine in the electronic age, 
local governments need to enhance their ability to offer online access to information and 
services for their citizen. One member of the Commission, Senator Harriman, supports 
providing technical assistance to municipalities, but not funding. 
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RESOLVES of 1999 
CHAPTER 89, 
as amended by Public Law 1999, chapter 762, section 3 

S.P. 763 - L.D. 2155 

Resolve, to Establish the Blue Ribbon Commission to 
Establish a Comprehensive Internet Policy 

Emergency preamble. Whereas, Acts and resolves of the Legislature do not become 
effective until 90 days after adjournment unless enacted as emergencies; and 

Whereas, the Internet and its use continues to grow and it is essential to ensure delivery of 
social and economic benefits to the State; and 

Whereas, it is necessary to consider what type of statewide computing and 
communications investment strategy will stimulate public investment and create more 
opportunities and incentives for information technology business to locate in the State; and 

Whereas, it is imperative to address how to develop and maintain a highly qualified 
information technology workforce to support business growth; and 

Whereas, it is essential to create a business and regulatory policy that will ensure that 
Maine is an attractive location for information technology companies and their employees; and 

Whereas, in the judgment of the Legislature, these facts create an emergency within the 
meaning of the Constitution of Maine and require the following legislation as immediately 
necessary for the preservation of the public peace, health and safety; now, therefore, be it 

Sec. 1. Commission established. Resolved: That the Blue Ribbon Commission to Establish 
a Comprehensive Internet Policy, referred to in this resolve as the "commission," is established; 
and be it further 

Sec. 2. Commission membership. Resolved: That the commission consists of 12 
voting members and 6 nonvoting members. 

1. The commission consists of 12 voting members as follows: 

A. Three members of the Senate, at least one of whom is a member of the Joint 
Standing Committee on Business and Economic Development, appointed by the 
President of the Senate; 

B. Two members of the House of Representatives, at least one of whom is a member 
of the Joint Standing Committee on Business and Economic Development, appointed 
by the Speaker of the House; 

C. One representative of the large Internet service providers industry, appointed by 
the President of the Senate; 



D. One representative of the small Internet service providers industry, appointed by 
the Speaker of the House; 

E. One representative of the Maine Software Developers Association, appointed by 
the Speaker of the House; 

F. One representative of the telecommunications industry, appointed by the President 
of the Senate; 

G. One representative of the cable television industry, appointed by the Speaker of the 
House; 

H. One representative of the Maine Bar Association, appointed by the President of the 
Senate; and 

I. One representative of the Maine Civil Liberties Union, appointed by the Speaker of 
the House. 

2. The commission consists of 6 nonvoting members as follows: 

A. One representative of the University of Maine System, appointed by the 
Chancellor of the University of Maine System; 

B. The Commissioner of Economic and Community Development or the 
commissioner's designee; 

C. The Secretary of State or the secretary's designee; 

D. The State Librarian or the State Librarian's designee; 

E. One representative of the Public Advocate's Office, appointed by the Governor; 
and 

F. One representative of the Public Utilities Commission, appointed by the Governor. 

Sec. 3. Appointments; meetings. Resolved: That all appointments must be made no 
later than 30 days following the effective date of this resolve. The Executive Director of the 
Legislative Council must be notified by all appointing authorities once the selections have been 
made. Within 15 days after appointment of all members, the Chair of the Legislative Council 
shall call and convene the first meeting of the commission. The first named Senate member is 
the Senate chair and the first named House member is the House chair; and be it further 

Sec. 4. Duties. Resolved: That the commission shall study issues related to the future of 
information technology in the State, including, but not limited to: 

1. The facilitation of electronic commerce for Maine citizens and businesses; 



2. Making government more accessible to the citizens; 



3. The use of the Internet and related technologies to improve education throughout the 
State; 

4. The protection of Internet users' and citizens' privacy; 

5. The mitigation of Internet abuses including transmission of unsolicited bulk e-mail or 
spam; 

6. The regulation of hate mail and pornography; 

7. The elimination of electronic crimes; 

8. The promotion of Internet access for citizens throughout the State; and 

9. The promotion of business development in the areas of electronic, Internet-based and 
information technology businesses throughout the State; and be it further 

Sec. 5. Staff assistance. Resolved: That the commission may request staffing assistance 
from the Legislative Council; and be it further 

Sec. 6. Compensation. Resolved: That legislative members are entitled to receive the 
legislative per diem and reimbursement of necessary expenses for their attendance at 
authorized meetings of the commission; and be it further 

Sec. 7. Report. Resolved: That no later than December 1, 1999, the commission shall 
submit its initial report, together with any necessary implementing legislation, to the Joint 
Standing Committee on Business and Economic Development of the 1 19 th Legislature and the 
Executive Director of the Legislative Council. The Joint Standing Committee on Business and 
Economic Development is authorized to report out a bill during the Second Regular Session of 
the 119th Legislature concerning the findings and recommendations of the commission. 

The Commission is authorized to meet following the conclusion of the Second Regular Session of 
the 119 th Legislature to continue its work. The commission shall end its work by November 15, 
2000. The commission shall submit its 2 nd report, together with any necessary implementing 
legislation, to the First Regular Session of the 120 th Legislature. 

If the commission requires an extension, it may apply to the Legislative Council, which may 
grant the extension; and be it further 

Sec. 8. Appropriation. Omitted 

Emergency clause. In view of the emergency cited in the preamble, this resolve takes 
effect when approved. 
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Global and National Commerce Act (E-Sign) 



November 1, 2000 



To: Blue Ribbon Commission to Establish a Comprehensive Internet Policy 
From: Deborah C. Friedman, Esq., Senior Legislative Analyst 

Re: Impact of Federal "E-Sign" on Maine UETA and other Maine Law 



At the urging of the Blue Ribbon Commission to Establish a Comprehensive Internet 
Policy, the Maine Legislature in 2000 passed and the Governor signed the Uniform 
Electronic Transactions Act (UETA). 1 Maine-UETA validates electronic records and 
electronic signatures by granting them the same status under law as paper records and 
manual signatures in business, governmental and commercial transactions, provided the 
parties to the transaction have agreed to conduct the transaction electronically. 

Later in 2000, Congress passed and the President signed the "Electronic Signatures in 
Global and National Commerce Act," popularly known as "E-Sign." E-Sign also 
validates electronic records and signatures, but differs in some respects from UETA. E- 
Sign preempts most state laws, with two exceptions. E-Sign does not preempt UETA, 
nor does it preempt non-UETA laws that are consistent with E-Sign, are technology- 
neutral and, if enacted or adopted after E-Sign was enacted, make specific reference to E- 
Sign. 3 

Despite the general non-preemption of UETA, E-Sign does have an impact in Maine and 
other UETA states. First, it invalidates exemptions that are not consistent with UETA or 
E-Sign. Second, it invalidates state laws that require non-electronic delivery of records, 
such as mailing requirements for consumer notices. Finally, it may limit a state agency's 
ability to impose additional requirements on filings or records retention. This memo 
reviews some of the ways in which E-Sign impacts Maine law. 

Exemptions 

Neither UETA nor E-Sign applies to contracts and records governed by laws relating to 
wills, codicils and testamentary trusts or by the Uniform Commercial Code, other than 
Articles 2 and 2A and sections 1-206 and 1-207. 4 As adopted in Maine, the UETA itself 
did not include any other exemptions. But in a separate piece of legislation put forth by 



1 Public Law 1999, c. 762, sec. 2, effective August 11, 2000. This law is codified at 10 MRSA c. 1051. 

2 P.L. 106-229, generally effective October 1, 2000. Referred to in notes as "E-Sign" 

3 E-Sign, section 102(a)(1) and 102(a)(2) 

4 10 MRSA §9403, sub-§2, ffA and B. E-Sign section 103(a)(1) and 103(a)(3) 



the Judiciary Committee, records purporting to affect title to real property and powers of 
attorney were exempted from the coverage of any law that validates electronic records 
and signatures. 5 

Because these exemptions are not part of the uniform UETA, they must be evaluated 
under section 102(a)(2) of E-Sign to determine whether they are preempted by E-Sign. 
E-Sign preempts any non-UETA law that bases validity of electronic records or 
signatures on alternative procedures or requirements, unless the procedure or requirement 
is consistent with E-Sign, is technology-neutral and, if enacted after E-Sign, makes 
specific reference to E-Sign. 6 Neither of the 2 additional exemptions in Maine-UETA are 
consistent with E-Sign and are therefore preempted. It is worth noting, however, that real 
estate records and powers of attorney are subject to UETA only if they are part of a 
business, governmental or commercial transaction in which the parties have agreed to 
conduct business electronically. 7 

If state policy-makers wish to consider additional exemptions to UETA in the future, they 
must determine whether the exemption is included in E-Sign. At the moment, those 
exemptions include the following: records relating to adoption, divorce and other matters 
of family law; court orders or notices; documents for transporting hazardous wastes; and 
a number of consumer notices including utility cut-off notices, default, eviction or notice 
to cure mortgage agreements, product recalls, and insurance cancellation. Note, however, 
that these exemptions are subject to review by the Secretary of Commerce and by federal 

Q 

regulatory agencies to determine whether the exemptions are necessary. 
Consumer Disclosures and Notices 

Although Maine UETA provides that electronic records and electronic signatures have 
the same legal force as paper records and manual signatures, Maine UETA also provides 
that laws requiring that notices be posted, displayed, delivered or formatted in a certain 
manner are still valid. 9 For example, even if the parties have agreed to conduct a certain 
transaction electronically, if a law requires certain records to be delivered by first class 
mail, return receipt requested, that law must be complied with, even if it means putting a 
computer disk in the mail. 

E-Sign, however, specifically prohibits states from using that UETA section to 
"circumvent" E-Sign by imposing non-electronic delivery methods. 10 So any Maine law 
that requires non-electronic delivery of records is invalidated by E-Sign. There is some 
question as to whether non-electronic delivery laws relating to records excluded from E- 



5 Public Law 1999, c. 711, codified at 33 MRSA §331, 18-A MRSA §5-509 and 5-802 

6 E-Sign section 102(a)(2) 

7 See Drafting Comments to the Uniform Electronic Transactions Act, section 2, subsection 12, which notes that "a 
transaction must include interaction between 2 or more persons. Consequently, to the extent that the execution of a 
will, trust or health care power of attorney or similar health care designation does not involve another person and is a 
unilateral act, it would not be covered by this Act because not occurring as a part of a transaction as defined in the 
Act." 

8 E-Sign section 103(c) 

9 10 MRSA §9408, sub-§2 

10 E-Sign, section 102(c) 



Sign are still valid. For example, E-Sign does not apply to consumer utility cut-off 
notices, so a law requiring mailing and return receipt for such notices is not inconsistent 
with E-Sign and may still be valid. Commentators have not remarked on this possibility. 

Interestingly, E-Sign includes a provision that limits use of electronic methods to provide 
notices. If a law enacted prior to E-Sign requires verification or acknowledgement of 
receipt, that law can be complied with electronically only if the method used provides 
verification or acknowledgement of receipt, whichever is required. 11 If Maine policy- 
makers are concerned about E-Sign' s invalidating non-electronic delivery methods, they 
might consider placing in Maine law a similar provision to that found in E-Sign. Since it 
is consistent with E-Sign and is technology-neutral, there should not be a problem with 
preemption. 

State Agency Regulatory Powers 

The third area in which E-Sign impacts Maine law is the ability of state agencies to 
regulate the use of electronic records and signatures in their regulatory roles. State 
agencies have many different relationships to records. First, state agencies use records in 
their procurement activities. UETA and E-Sign clearly allow states to continue to set 
their own standards for these types of records. 12 

Second, state agencies maintain and create their own records for internal activities, and 
there doesn't seem to be any dispute that they have the right to make their own decisions 
about those records. 

Third, state agencies receive filings and other records from 3 rd parties that are created 
solely to send to the agency, e.g., corporate filings, workers' compensation reports of 
injury and occupational licensing applications. UETA clearly allows state agencies to 
determine whether, and the extent to which, it will send and accept electronic records and 

1 3 

electronic signatures to and from other persons. There is some doubt at least with some 
commentators, whether E-Sign impacts this choice. 

Fourth, state agencies often impose record-keeping and retention standards on businesses 
that they regulate, such as insurance companies and banks. Records are retained for a 
certain period of time to enable regulators to audit files or to serve as evidence if the 
company's actions are challenged. UETA provides that laws enacted before passage of 
UETA may not be used to prohibit electronic record retention, provided the method of 
retention meets the standards set forth in UETA to ensure integrity and future access. A 
state may, however, reimpose non-electronic standards if it enacts a law after the 
effective date of Maine UETA that specifically prohibits the use of an electronic record 
for the specified purpose. 



11 E-Sign, section 101(c)(2)(B) 

12 10 MRSA §9418. E-Sign section 102(b) 

13 10 MRSA §9418, sub-§l 



E-Sign section 104, which generally governs application of the law to federal and state 
governments, limits state regulatory agency powers to impose a requirement that records 
be in a tangible printed or paper form, although they retain the ability to set standards for 
accuracy, integrity and accessibility. Most commentators appear to believe that section 
104 is not applicable in states that have adopted UETA, 14 although one notable 
commentator — Professor Patricia Fry, chair of the drafting committee for UETA — 
believes that the limitations of section 104 do apply even in UETA states. 15 This is one 
area of the law that may need clarification on the federal level. If section 104 of E-Sign 
does apply in UETA states, state agencies will be limited in their ability to require non- 
electronic retention of records. 

Finally, any effort by the Legislature or by state regulatory agencies to impose 
requirements on records and signatures in transactions between private parties will have 
to be measured against E-Sign as well as UETA. 

SUMMARY 

Federal E-Sign invalidates the Maine law that removes powers of attorney and real estate 
records from the coverage of UETA. Therefore, electronic real estate records and powers 
of attorney are valid if they are used in business, governmental or commercial 
transactions. Any additional exceptions to UETA must be evaluated to see if they are 
consistent with E-Sign. 

Maine laws that require non-electronic delivery of records, such as requirements to mail 
notices with return receipt requested, are invalid under E-Sign to the extent they 
"circumvent" E-Sign. It is not clear whether such laws relating to records excluded from 
E-Sign continue to be valid. If so, then mailing requirements for product recalls, utility 
shutoff notices and certain insurance and credit notices would continue to be valid. In 
order to save some of the protections that may be provided by certain delivery laws, 
Maine may want to consider enacting an E-Sign provision that saves requirements for 
verification or acknowledgement of receipt. 

It is unclear whether E-Sign limits a state agency's ability to require 3 rd parties to retain 
records in non-electronic form, an option that UETA preserves. Even UETA, though, in 
an effort to ease the way for businesses to keep records electronically, requires states to 
re-enact any law that requires non-electronic records retention. 

Finally, any law or rule relating to records and signatures used in business, governmental 
or commercial transactions must be evaluated in light of E-Sign. 

G:\OPLALHS\LHSSTUDMnternet\UETAESIGN#2.doc 



See, e.g., Whittier, "What Governors Need to Know About E-Sign", p. 6. Prepared for the National Governors 
Association, September 22, 2000. 

15 Fry, "A Preliminary Analysis of Federal and State Electronic Commerce Laws." Found at 
www.nccusl.org/uniformact_articles/uniformacts-article-ueta.htm 



APPENDIX D 
List of Internet Privacy Technology Tools 



PRIVACY 

TECHNOLOGY 
IN THE DIGITAL AGE 



-VERSION 1.0- 



With technology permeating every aspect of daily life, consumer demand for privacy has created a flourishing marketplace for innovative, privacy-enhancing 
technologies. The products and services described here give users unprecedented control over the information they share. These tools are easy to find, often free, and 

the first fruit of a vibrant privacy marketplace. 



SURF ANONYMOUSLY 



Anonymity 4 Proxy 



Anonymizer 



Uses network of hundreds of fast proxy servers to protect identity. Allows 
user to create fake address, block or alter browser information, share 
anonymous connections with others. 

Acts as intermediary between user and Web site, go to Anonymizer Web 
site and begin surfing from the site. Control panel allows anonymous 
access to sites. Free for basic service. 



www.intelprivacy.com 



www.anonymizer.com 



Prices subject to change; based on Web 
site information 9/00. 

$35.00 



$14.99 

3 mos. premium service 



Internet Junkbuster Proxy 



Naviscape 



Privada Proxy 



Blocks requests for Internet files that match customizable "block file." 
Blocks unauthorized cookies. Users share information about which sites 
collect personal data and should be blocked. 

A browser plug-in to protect privacy and speed browsing. Allows user to 
manage delivery of cookies, banner ads or other Web objects. Employs 
"prefetching" of content to speed Web page delivery. 

Web Incognito encrypts requests for Web pages and routes through the 
Privada network; cookies are given a network profile rather than a personal 
one. Messaging Incognito extends privacy to email. 



www.iunkbusters.com 



www.naviscope.com 



www.privada.com 



Free 



Free 



$5.00/month 



PURCHASE ANONYMOUSLY 



ZixCharge Transaction authorization system using "charge slips" to conceal personal www.zixcharge.com Free 

information while purchasing online. Software routes purchase through 
account and masks personal identity. 
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MANAGE COOKIES 



AOL Netscape Cookie Manager 
Buzof 

Complete Cleanup 
Cookie Crusher 
Cookie Master 
Cookie Pal 
Cookie Terminator 
Cookie Web Kit 
Internet Explorer 5.5 

NoCookie 

NSClean & IEClean 
PGPcookie.cutter 



Allows users to view, block and delete cookies based on privacy 
preferences. 

Automatically answers, closes, minimizes recurring windows, including 
cookie prompts. 

Software allows user to delete cookies cache files, URLs and non-Internet 
files, including "recent document" list. 

Software automates cookie refusal, refuses all later requests from same 
site. 

Software tracks cookies in browser, displays cookie details, logs cookies 
activity. 

Automatically accepts or rejects cookies, allows viewing of stored cookies, 
customizable. 

Manages hidden cookies, set to automate cookie termination, shows where 
cookies on system have originated. 

Software that deletes cookies manually or automatically; also deletes cache 
directory and history logs. 

Enhanced cookie controls let users delete all cookies and provide detailed 
data when third-party Web sites try to place cookies. Allows users to 
designate preferences. 

Cookie management for MAC OS, disables Netscape cookies, inspects 
cookie information. 

Rids cookies from Netscape or Internet Explorer. Enables use alias, 
deletes bookmarks, history base, erases newsgroup activities. 

Collects all cookies, keeps cookies secure until user decides to share data 
or disable the cookie. 



Free to AOL members 



www.basta.com $15.00 

www.softdd.com $30.00 

www.thelimitsoft.com 30 days Free 

www.barefootinc.com Free 



www.kburra.com $15.00 

www.4developers.com $14.95 

www.cookiecentral.com Free 

www.microsoft.com Free 



www.onepiotoh.com Free 
www.nsclean.com $40.00 
www.pgp.com $19.95 
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ENCRYPT EMAIL 



Disappearing Email 



Encrypts email and allows user to control who accesses the email and for 
how long. Time-sensitive keys located in Disappearing Inc. server. 
Message expiration dates customizable. 



www.disappearing.com 



Free 



HushMail 



Web-based service offering 1,024-bit encryption of email and attachments. 
Can set up alternate email address and notification system. Source code 
released to cryptographic community. 



www.hushmail.com 



Free 



PGP (Pretty Good Privacy) 



One of first cryptography products to encrypt private email. Available 
through MIT. Works as plug-in with major software platforms. 
Compatible with Microsoft Outlook and Eudora Pro. 



www.mit.edu/network/pgp.html 



Free 



ZipLip Mail 



Uses database storage model to maintain security, includes "digital 
shredding" option, protections against unwanted printing, cutting and 
pasting of text. Web-based, records kept on ZipLip server. 



www.ziplip.com 



Free 



MANAGE YOUR IDENTITY 



Digitalme 



Uses "business card" to manage personal information, complete online 
forms and store passwords for various Web sites. Auto fill-in. User can 
maintain different cards to deliver tailored information to various sites. 



www.digitalme.com 



Free 



Freedom 



Persona/Child Persona 



Three components in software allow users to create pseudonyms for online www.freedom.net 
use, encrypts all online activities performed under pseudonym, routes 
messages through Freedom Network servers. 

PersonaAgent software installed on user's computer protects all www.privaseek.com 
information behind a password; allows auto fill-in of forms; tools to 
manage online identity. Separate program designed for children. 



$49.95 



Free 



PLATFORM FOR PRIVACY 
PREFERENCES (P3P) 



The World Wide Web Consortium, made up of 400 leading technology 
companies, has created a new programming language to enhance greater 
individual control over privacy. Under P3P, Web site will have privacy 
policies imbedded into each page. Users will surf with P3P-enabled 
browsers, set with their privacy preferences. The browser will then 
automatically let them know if a Web site has practices at odds with the 
users' wishes. 



Privacy Companion 



Orby Privacy Plus 



Allows you to see who has placed a cookie, either a site or "third party" 
advertising company or profiler. 

Permission-based personalization software that allows users to select 
settings: private, cautious, trusting and open. 



www.idcide.com 



www.youpowered.com 



Free 



Free 



Sponsored by The Privacy Leadership Initiative: American Association of Advertising Agencies, Association of National Advertisers, AT&T, Compaq Computer, Dell Computer Corporation, Direct Marketing Association, 
DoubleClick, Inc., E*TRADE, European-American Business Council, Eastman Kodak Company, Engage, Experian, Ford Motor Company, Harris Interactive, Internet Advertising Bureau, IBM, Intel Corporation, 
Information Technology Industry Council, Kraft Foods, Inc., National Association of Manufacturers, NetCoalition.com, Network Solutions Inc., Online Privacy Alliance, Procter & Gamble, Sony, Travelocity.com, US Bank 
Corp. 



www.understandingprivacv.com 
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APPENDIX E 
State Electronic Policymaking Bodies Chart 



State Government Electronic Information Policymaking Bodies 



Legislature 

Legislative Council 



I 



Executive 
Director 

and 
Director, 
Informatio 
n Services 
Office 



I 



Committees 
of 

Jurisdiction 



Commissioner, 
Administrative 
and Financial Services 

chair of ISPB board 
serves on InforME board 



Executive 

Governor 



Director of BIS - Powers and Duties 
(5 MRSA §1886) 

supervise data processing 

approve acquisition and use of equipment 

maintain central telecommunications services 

develop and administer written standards for 

data processing and telecommunication 

(must be approved by the ISPB board) 

serve as contracting authority for InforMe 

provide staff for InforME 

serves on InforME board, Govt Network 

Board and MCJUSTIS Policy Board 

protection of information files 

assist the ISPB board 

reports to AFA Committee each year, 

including a compilation of written standards 

for data processing and telecommunications 



KEY: 

• direct relationship 

• Reporting 
relationship 

• appointing 
authority 



1 



Commissioner, 
Department of 
Public Safety 



Chief Information 
Officer 

• technology 
policy 

• strategy and 
planning 

• standards 

• contract review 

• ADA 
coordination 

• legislative 
liaison 



MCJUSTIS Policy 
Board (created in 1993) 

(16 MRSA §633) 

• establish policies and 
practices to access 
crime data 

• establish information 
standards 

• report to the 
Judiciary and 
Criminal Justice 
committees 

• 13 members 
including 
Commissioners, 
Attorney General, 
Director of BIS, 
representatives from 
the legal community 
and law enforcement 



Information Services Policy Board (created in 1991) (5 MRSA §1891) 
1 1 voting members, including 5 from state agencies and 6 appointed by 
the Governor and 8 advisory members appointed by MSHA, FAME, 
MTA, MSRS, UMaine system and one from the Legislature's 
information services office appointed by Legislative Council; chair is 
appointed by the Governor from an Executive Dept 
establishes written standards governing GIS, data processing and 
telecommunications 
assists in strategic planning for DAFS 
assists in establishing goals and priorities for DAFS 
assists in the development and approves rules, policies and fees 
reviews information processing and telecommunications operations in 
State government 

Legislature and Judiciary are not subject to ISPB actions 



ISPB Subcommittees 

• Information 
Services Managers 
Group 

• Access 
subcommittee 

• GIS Steering 
Committee 



InforME (created in 1998) 

(1 MRSA §531) 
Network manager contract 
approved by InforMe board 
with assistance from BIS 
provides application 
development and 
marketing services to state 
agencies 

reports annually to SLG 
Committee on services, 
fees and criteria 
provides annual audit to 
DAFS, 

Governor and Legislative 
Council may request an 
additional audit 



InforME Board 

15 members including 
Director of BIS, 
Commissioner of DAFS, 
UMaine system, 
municipalities, non-profit 
citizen's rights organization 
and libraries and 2 public 
members appointed by the 
Speaker and President 
staffed by InforME and Sec. 
of State's Office 
establish InforME policies 
and criteria 

approve premium services 

fees, including interagency 

agreements 

approve contract with 

Network Manager 

Chaired by the Sec. of State 



State (Government and (Jtner Electronic Policymaking Boards 



Legislature 

Legislative Council 



I 



Executive 
Director and 

Director, 
Information 
Services 
Office 



I 



Executive 

Governor 



Committees 
of 

Jurisdiction 



I 



Public Utilities 
Commission 



TV 



Maine Schools and 
Libraries Network 
(MSLN) 

created in 1996 

7K 



Government Information Network 
Board (not currently funded) 

• 7 members: Secretary of State, 
Director of BIS, 3 members 
appointed by the Governor, and 
two public members appointed 
by the President and Speaker 

• administrative support from 
Secretary of State's Office 

• established to oversee electronic 
data exchange among state and 
local governments 

• oversees the network that 
connects the individual 
municipal governments and other 
govt, service providers 

• provides grants to municipalities 



Maine Schools and Libraries 
Network Advisory Group 

• includes representatives from 
the PUC, Public Advocate, 
Bell Atlantic, independent 
telephone companies, Internet 
service providers, Department 
of Ed., State Librarian and 
cable companies 

• makes recommendations to 
the PUC for approval on all 
major aspects of the MSLN 



Prepared by the Office of Policy and 
Legal Analysis 



University of Maine 
System 



University of Maine 
System Network for 

Eduation and 
Tehnology Services 
(UNET) 

formed in 1997 

7K 



University of Maine System 
Information Technology Council 

(established in 1999) 

• includes representatives from 
each University appointed by 
the University Presidents, 
representatives from the 
President's Council, Chief 
Academic Officers and 
representatives from other key 
leadership areas in the System 

• chaired by the Executive 
Director of UNET and staffed 
by UMS staff 

• develops goals for how the 
UMS should employ 
information technology to 
meet goals for teaching and 
learning, research and 
development, and goals of 
each campus 

• establishes a technology plan 
for the System 

• reviews technology systems 
acquisitions 

• coordinates development of 
guidelines for standards, 
training, user support and 
application development 



APPENDIX F 
Draft Legislation to Continue Commission Work 



APPENDIX G 
Concept Draft to Establish a Consumer Privacy Advocate 



APPENDIX H 

Draft Legislation on Notice of State and Local Government 
Information Practices 



APPENDIX I 

Draft Legislation to Amend the Government Evaluation Act 



Recommendation A 

Continue to Study Privacy and Other Internet Issues - RESOLVE 



RESOLVE, to Create a Study Commission to Review Internet and Information Policy 

Preamble. Whereas, the Internet continually presents new opportunities and new 
challenges to policy-makers and the public; and 

Whereas, concerns about the collection of information on the Internet have caused policy- 
makers to examine governmental policies regarding the collection and use of personal information 
via the Internet as well as by more traditional means; and 

Whereas, the Legislature believes that commissions consisting of policy-makers and other 
interested parties provide the best forum for discussing these issues and promoting solutions; 
now, therefore, be it: 

Sec. 1. Commission established. Resolved: That the Blue Ribbon Commission to 
Review Internet and Information Policy, referred to in this resolve as the "commission" is 
established; and be it further 

Sec. 2. Commission membership. Resolved: That the Commission consists of 12 
voting members and 7 non- voting members. The voting members are as follows: 

A. Three Senators, one from the Joint Standing Committee on Business & Economic 
Development, appointed by the Senate President; 

B. Two House members, one from Joint Standing Committee on Business & Economic 
Development, appointed by the House Speaker; 

C. One representative of the Internet service provider industry, appointed by the Senate 
President; 

D. One representative of a Maine-based company providing commercial services over the 
Internet, appointed by the Speaker; 

E. One representative of the Maine Software Developers Association, appointed by the 
Speaker; 

F. One representative of the telecommunications industry, appointed by the Senate 
President; 



G. One representative of the cable television industry, appointed by the House Speaker; 



H. One representative of the Maine Bar Association, appointed by the Senate President; 
and 

I. One representative of the Maine Civil Liberties Union, appointed by the House 
Speaker. 

The 7 nonvoting members are as follows. 

A. One representative of the University of Maine system, appointed by the chancellor of 
the University of Maine System; 

B. The Commissioner of Economic and Community Development or the commissioner's 
designee; 

C. The Chief Information Officer, Department of Administrative and Financial Services, or 
the Chief Information Officer's designee; 

D. The Secretary of State or the Secretary's designee; 

E. The State Librarian or the State Librarian's designee; 

F. One representative of the Public Utilities Commission, appointed by the Governor; 

G. One representative of the Public Advocate's Office, appointed by the Governor; and 
be it further 

Sec. 3. Chairs. Resolved: That the first-named Senate member is the Senate chair. The 
first-named House member is the House chair; and be it further 

Sec. 4. Appointments; convening meetings. Resolved: That all appointments must be 
made no later than 30 days following the effective date of this Resolve. The appointing authorities 
must notify the Executive Director of the Legislative Council upon making their appointments. 
When the appointment of all members is complete, the chairs shall call and convene the first 
meeting of the Commission; and be it further 

Sec. 5. Duties. Resolved: That the Commission shall study issues relating to the Internet 
and information policy, including the following: 

A. Internet users' concerns about privacy of information collected on the Internet by 
commercial and governmental websites; 

B. Development of a comprehensive information practices act governing collection and 
management of personal information by state and local governmental entities; 



C. Coordination of the state's Internet policy-making structures; 



D. The possibility of using the Internet to assist in the election process; and 

E. Other issues described in the charge to the Blue Ribbon Commission to Establish a 
Comprehensive Internet Policy, created by the 1 19 th Legislature; and be it further 

Sec. 6. Staff assistance. Resolved: That upon approval of the Legislative Council, the 
Office of Policy & Legal Analysis shall provide necessary staffing services to the Commission; and 
be it further 

Sec. 7. Compensation. Resolved: That legislators who are members of the commission 
are entitled to receive legislative per diem, as defined in the Maine Revised Statutes, Title 3, 
section 2 and reimbursement for travel and other necessary expenses for attendance at meetings of 
the commission; and be it further 

Sec. 8. Report. Resolved: That the commission shall submit a report of its findings and 
recommendations, including any recommended legislation, to the 2 nd Regular Session of the 120 th 
Legislature by December 1, 2001. If the commission requires an extension of time to makes its 
report, it may apply to the Legislative Council, which may grant the extension. 

SUMMARY 

This Resolve creates a commission to study Internet and information policy issues, 
including privacy, use of the Internet in the election process such as use for registration or voting, 
development of a comprehensive information practices act and other issues. 



Recommendation C 

Consumer Advocate - Concept Draft 



An Act to Create a Resource within State Government to Protect the Privacy of Personal 
Information 

SUMMARY 

This bill is a concept draft providing for a person or persons within state government to protect 
the privacy of personal data about the people of Maine. The person would not have regulatory 
authority, but would be charged with the following duties: 

• conduct research and studies, gather facts and evaluate procedures regarding the treatment 
of personal data by public and private entities; 

• investigate complaints about information confidentiality, make recommendations for 
policy, rule and legislative changes, where appropriate, and make referrals to, and 
cooperate with, enforcement entities; 

• advise, consult and assist the legislative and executive branches of government on 
development of policies and procedures related to confidential personal data; 

• coordinate communication and cooperation among components of state government; and 

• educate the public about the status of personal data and how to protect their privacy. 

The person performing this function must be in a position that, to the greatest extent possible, is 
not subject to political or economic pressure. This person would have authority to maintain the 
confidentiality of information in his or her possession. 



Recommendation D. 

Legislation - An Act to Require Notice of Information Practices on State and Local 
Government Websites 

Sec. 1. 1 MRSA C.14-A is enacted to read: 

CHAPTER 14- A 
NOTICE OF INFORMATION PRACTICES 

§551. Definitions. 

As used in this chapter, unless the context otherwise indicates, the following terms have 

the following meanings. 

1. Personal information. "Personal information" means information about a natural 

person that is readily identifiable to that specific person. 

2. Public entity. "Public entity" means: 

A. The Legislature; 

B. The Judicial Department; 

C. A state agency or authority; 

D. The University of Maine System, the Maine Maritime Academy, and the Maine 
Technical College System; 

E. A county, municipality, school district or any regional or other political or 
administrative subdivision; and 

F. An advisory organization established, authorized or organized by law or resolve or 
by Executive Order issued by the Governor. 

§552. Notice of Information Practices 

Each public entity that has a website associated with it shall develop a policy regarding its 
practices relating to personal information and shall post notice of those practices on its website. 
The policy must include the following: 

1. Information collected. A description of the personal information collected on the 
website; 



2. Use and disclosure of information. A summary of how the personal information is 
used by the entity, and the circumstances under which it may be disclosed to others; 

3. Choice. The extent to which the user has a choice of whether to provide personal 
information via the website and the consequences of refusing to give that information; 

4. Procures for access and correction. The procedures, if any, by which the user may 
request access to personal information about himself or herself and may request correction of that 
information; and 

5. Security. Steps taken to protect personal information from misuse or unauthorized 

access. 



SUMMARY 

This bill requires state and local entities that have websites to develop policies regarding personal 
information practices and to post notice of those policies on their websites. 



An Act to Include Analysis and Review of Information Practices in the Government 
Evaluation Act Process 

Sec. 1. 3 MRSA §956, sub-§2, %D-1 is enacted to read: 

D-l. Agency policies for collecting, managing and using personal information over the 
Internet and non-electronically, an evaluation of the agency's adherence to the fair 
information practice principles of notice, choice, access, integrity and enforcement, and 
information on the agency's implementation of information technologies. 

Sec. 2. 3 MRSA §957, sub-§l is amended to read: 

1. Authority. For each agency or independent agency or a component part of each 
agency or independent agency subject to review pursuant to section 952, the committee of 
jurisdiction may conduct an analysis and evaluation that may include, but need not be limited to, 
an evaluation of the program evaluation report, the extent to which the agency or independent 
agency operates in accordance with its legislative authority , the extent to which the agency or 
independent agency adheres to fair information principles and the degree of success achieved by 
the agency or independent agency in meeting its statutory and administrative mandate. In 
consultation with the Legislative Council, the committee shall select agencies or independent 
agencies for review either in accordance with the scheduling guidelines provided in this chapter 
or at any time determined necessary or warranted by the committee. 

SUMMARY 

This bill amends the State Government Evaluation Act to add information practices and 
implementation of information technologies to the list of issues that must be addressed in the 
agency's self-evaluation report and to include adherence to fair information practices principles to 
the list of issues that the legislative committee of jurisdiction may analyze and evaluate. 



